Nicolas.Williams at sun.com
Fri Sep 4 13:23:37 EDT 2009
On Fri, Sep 04, 2009 at 07:03:26PM +0200, Luke Howard wrote:
> On 04/09/2009, at 6:35 PM, Greg Hudson wrote:
> >* Under what circumstances would an application need to use the
> >gss_acquire_cred_impersonate_cred interface, instead of just calling
> >gss_init_sec_context with the appropriate proxy credential? Is
> >there an actual reason to provide that API? (And similarly for the
> >corresponding add_ API, of course.)
> I believe this was proposed principally for other mechanisms (perhaps
> you can chime in here, Nico). You could use
> gss_acquire_cred_impersonate_cred() if you wished to impersonate a
> credential handle you acquired explicitly with gss_acquire_cred().
Indeed, this is just for completeness.
Without gss_acquire/add_cred_impersonate_cred() you can only do the
S4U2SELF thing when you're the acceptor of a context, but with it you
can also do the S4U2SELF thing when you just happen to have creds for
two principals around. I could see this being useful to someone, though
I have no use for it at all.